3 True Stories of Missing Source Code Security

Published on April 06, 2015, by Sebastian


… and how it could have been avoided.

You have likely noticed the potential for security breaches all around. There are threats from hackers, spies, corporate raiders, terrorists, professional criminals, and vandals – all leading to damage to the enterprise infrastructure and sometimes even to the business itself. But one key aspect of security is often missing from the discussion: protection of the source code. Not only is this aspect overlooked, it has enormous potential to cause serious harm in a multitude of obvious and not so obvious ways.

At RhodeCode, we see a lot of situations that underscore just how important the subject of source code security is in managing a software release. Here are three recent examples.

#1 The Internal Job

In August of last year, at a large event in the San Francisco Bay Area, producers noticed while checking in event goers that many tickets were duplicated. Unlike the common case where one ticket number is duplicated many times, these duplicate tickets were unique and seemed to be perfectly sequenced, mirroring actual valid tickets.

While the ticketing agency had put a lot of effort into preventing actual ticket duplication, it turned out that the exposure to fraud was behind the scenes, through access to the source code. Indeed, a rogue employee had stolen the number generators and keys needed to generate authentic serial numbers. What was unfortunate is that the employee should never have had access to the entire code base: the employee's role only involved reviewing part of the source code. How can enterprises restrict who has access to source code?

One way is to use RhodeCode Enterprise 3 to manage credentials, permissions, and authentication through LDAP and Active Directory integration. It lets you grant permissions according to a person's role rather than handing out read or write access to an entire repository, giving you complete source code security.

#2 Breaching the version control process

One US company in the education software space that I recently visited went to great lengths to protect its production enterprise applications against exploitable vulnerabilities. The focus of their effort was to ensure that code being checked in had passed rigorous assessments. Versions were evaluated and approved before being committed, to ensure that no back doors or unintended holes could be exploited.

Despite this rigorous effort, a vulnerability was exposed: a backdoor in code that had already been identified as such and was thought to have been corrected. An employee had changed the version number, causing the previously fixed bug to reappear in the final product. Imagine how a wrongdoer could have leveraged changing version control numbers without a system that strictly manages versioning.

RhodeCode Enterprise 3, by contrast, manages version tags and enforces digital signing of revisions, allowing full auditing of change control.
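The check behind "enforced signing of revisions" is simple to state: every revision in a release range must carry a good signature from a trusted key, and anything else is reported for audit. The following is an added example written for this post, not RhodeCode's own code. It parses the per-commit signature status that git itself reports through the `%G?` placeholder of `git log --format`, and the sample log text is constructed for illustration (the commit hashes and subjects are made up).

```python
"""Flag revisions in a range that do not carry a good signature.

Added example, not RhodeCode code. It reads the output of
    git log --format='%H %G? %s' <rev-range>
where %G? is git's signature-verification status for each commit.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Meaning of git's %G? status letters (from the git-log format documentation).
SIGNATURE_STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot check (missing key)",
    "N": "no signature",
}


@dataclass(frozen=True)
class Revision:
    sha: str
    status: str
    subject: str


def parse_log(text: str) -> list[Revision]:
    """Parse lines of the form '<sha> <status> <subject>'."""
    revisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 2)
        sha, status = parts[0], parts[1]
        subject = parts[2] if len(parts) > 2 else ""
        revisions.append(Revision(sha, status, subject))
    return revisions


def unsigned_revisions(revisions: list[Revision], trusted_only: bool = True) -> list[Revision]:
    """Return the revisions an enforcing policy would reject.

    With trusted_only=True only 'G' passes; otherwise a good signature from
    a key not yet marked trusted ('U') is tolerated as well.
    """
    accepted = {"G"} if trusted_only else {"G", "U"}
    return [r for r in revisions if r.status not in accepted]


def audit_report(revisions: list[Revision], trusted_only: bool = True) -> list[str]:
    """One human-readable line per rejected revision, for the audit trail."""
    return [
        f"{r.sha[:12]} {SIGNATURE_STATUS_MEANING.get(r.status, 'unknown status')}: {r.subject}"
        for r in unsigned_revisions(revisions, trusted_only)
    ]


def git_log_status(repo_dir: str, rev_range: str) -> str:
    """Run git against a real repository and return the raw log text.

    Kept separate from the parsing so the policy logic is testable offline.
    """
    return subprocess.run(
        ["git", "-C", repo_dir, "log", "--format=%H %G? %s", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample output standing in for a real `git log` run.
SAMPLE_LOG = """\
3f9a1c2e4b5d6e7f8091a2b3c4d5e6f708192a3b G Bump version to 3.0.1
1122334455667788990011223344556677889900 N Revert fix for ticket generator
aabbccddeeff00112233445566778899aabbccdd U Update LDAP group mapping
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef B Add release notes
"""

if __name__ == "__main__":
    for line in audit_report(parse_log(SAMPLE_LOG)):
        print(line)
```

Run against a real repository with `audit_report(parse_log(git_log_status(".", "v3.0.0..v3.0.1")))`; an empty report means every revision in the release range was signed by a trusted key, and a non-empty one is exactly the kind of change (an unsigned revert, a bad signature) that story #2 describes slipping through.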

#3 Exposing from the Cloud

A large enterprise had acquired a smaller company along with its immense and valuable code base. The parent company partly used a Git hosting cloud service, while the acquired company used Subversion hosted on its own servers.

Because the source code management system currently in use did not support Subversion, one of the first things the parent company did was attempt to convert the acquired company's repository to Git. Not only was this messy, error-prone, and time consuming, but much of the revision history was lost in the process and a lot of manual fixing of trunks had to take place.

After this effort was completed, an employee realized that during the transition hundreds of thousands of dollars' worth of code had accidentally been exposed to the public! Not only is this a potential loss of an asset, but exposing the code in such a manner also gave hackers an opportunity to look for vulnerabilities to exploit.

RhodeCode realizes that developers want to use their version control system of choice – Subversion, Git, and Mercurial are all supported under one umbrella interface inside RhodeCode Enterprise 3. Additionally, RhodeCode Enterprise 3 can be run securely on your own server behind your firewall. This lets you make sure access is controlled and also allows IT to take additional source code security measures, for example adding your own intrusion detection system.

Introducing Source Code Security

These three real-life stories emphasize that source code security is a big deal with serious consequences. RhodeCode Enterprise 3 was built with security and compliance as key aspects of what large enterprises need to manage. Our methodology and implementation have been hardened in close cooperation with the US military and several of the top financial services organizations.

The platform resides behind your firewalls in your data centers and private clouds, isolated from the risks of public network access. In addition, our extensive, fine-grained access and permissions system and integrated user management remove repository management overhead and secure your code with IP restrictions, always-on SSL, LDAP support, and code freezes, which provide download blocking for auditing purposes.

While focus needs to be maintained on writing secure source code, don't forget that access to source code is an often-overlooked but key aspect of security. Check it out for yourself: download RhodeCode Enterprise 3 for free today to introduce proper source code security.